No matter the breach, whether Target, Sony, or J.P. Morgan Chase, the attackers continue to use the same tactics. What are these tactics? Typically, the attacker sends a phishing email to one or more of the victim organization’s employees. This email contains either a malicious attachment or a link to a website controlled by the attacker that delivers malware when visited. In either scenario, the attacker’s goal is to control the end user’s computer and then use that access to move laterally through the company’s network toward more valuable information. In essence, the attackers are battling for control of the endpoint.
As attackers continue to focus on the endpoint, it is important to understand the different approaches to stopping them. The following categories encompass today’s technologies designed to stop attacks against the endpoint:
- Anti-Virus – This category is defined as signature-based, static code analysis (basically matching against known-bad hashes). This type of technology is not typically effective against a determined attacker, but it does stop “nuisance” malware. The core capabilities of this category include signature-based scans, scheduled and throttled scanning, memory and registry scanning, scans upon download and execution, incremental file scans, and virus removal and self-protection.
- Application Control – This category is commonly described as the opposite approach to Anti-Virus. Where Anti-Virus software looks for known-bad files, application control identifies the known-good files and binaries and then prevents anything else from running on the endpoint.
- Behavior Analysis – This category is also often described as live or real-time sandboxing. With this type of technology, the suspicious file is executed in a controlled environment, its behavior during execution is analyzed, and suspicious behavior, such as making certain registry changes, is flagged and execution of the file is blocked.
- Dynamic Analysis – This category is similar to behavior analysis but is typically conducted offline, which means the file is allowed to execute on the endpoint while the analysis is conducted separately.
- Forensic Analysis – This category is often described as the “endpoint DVR” or “flight recorder.” Software in this category typically captures every action taken on the host system. The captured information is then analyzed to determine whether something malicious occurred. Most technology in this category includes kernel-level monitoring and uses big data analytics to identify anomalous behavior.
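To make the contrast between the first three categories concrete, here is a small added illustration (not from the original post or any vendor product) that applies a hash denylist, a hash allowlist, and one behavioral rule to the same constructed binary and execution trace. The file contents, hashes, trace events and the persistence-key rule are all constructed for the example.

```python
import hashlib

# Constructed sample binaries: one commodity sample with a known hash,
# one freshly built payload that no signature database has seen.
SAMPLE_FILES = {
    "invoice.exe": b"constructed body of a known commodity sample",
    "update.exe": b"constructed body of a never-before-seen payload",
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Anti-Virus style: denylist of known-bad hashes (constructed).
KNOWN_BAD = {sha256_hex(SAMPLE_FILES["invoice.exe"])}
# Application control style: allowlist of known-good hashes (constructed).
KNOWN_GOOD = {sha256_hex(b"constructed body of an approved vendor tool")}

def antivirus_verdict(data: bytes) -> str:
    """Block only if the hash matches a known-bad signature."""
    return "block" if sha256_hex(data) in KNOWN_BAD else "allow"

def app_control_verdict(data: bytes) -> str:
    """Allow only if the hash is on the approved list; block everything else."""
    return "allow" if sha256_hex(data) in KNOWN_GOOD else "block"

# Behavior analysis style: a constructed execution trace, one event per action.
SAMPLE_TRACE = [
    {"proc": "update.exe", "action": "file_write", "target": r"C:\Users\a\AppData\Local\Temp\x.dll"},
    {"proc": "update.exe", "action": "reg_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
    {"proc": "update.exe", "action": "net_connect", "target": "203.0.113.7:443"},
]

# Registry autostart locations commonly used for persistence (rule is illustrative).
AUTOSTART_KEYS = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
)

def behavior_verdict(trace: list) -> tuple:
    """Block if any observed action sets an autostart registry value."""
    reasons = [f"{ev['proc']} wrote autostart key {ev['target']}"
               for ev in trace
               if ev["action"] == "reg_set" and ev["target"].startswith(AUTOSTART_KEYS)]
    return ("block" if reasons else "allow", reasons)

if __name__ == "__main__":
    for name, body in SAMPLE_FILES.items():
        print(name, "AV:", antivirus_verdict(body), "AppCtl:", app_control_verdict(body))
    print("Behavior:", behavior_verdict(SAMPLE_TRACE))
```

Running it shows the point the post makes: the unseen payload passes the signature check but is stopped by both the allowlist and the behavioral rule.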
To stop today’s advanced attacks, it is important to deploy a suite of technologies that includes capabilities from each of the categories listed above. At Regis University, our faculty are committed to staying ahead of the most advanced attackers. Join us and learn how to win the battle for the endpoint!